Of the 301 vulnerabilities, 49 are rated with a CVSS (Common Vulnerability Scoring System) score of 9.0 or higher, with only a single issue garnering the top severity rating of 10.0. The October CPU became generally available on Oct. 16 and includes patches both for first-party components that Oracle develops and for third-party components that it ships in its products.

"As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components)," Eric Maurice, director of security assurance at Oracle, wrote in a blog post.

While 301 flaws is a large number, it is actually fewer than the 334 that Oracle patched in the last CPU that it released on July 18. Looking at the most severe flaw across the 301, the single CVSS 10.0 was given to the CVE-2018-2913 flaw in Oracle's GoldenGate software.

The GoldenGate flaw was one of three that security researchers working at Tenable discovered. In a research note detailing the CVE-2018-2913 flaw, Tenable referred to the issue as an unauthenticated remote stack buffer overflow condition.

"A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command," Tenable stated in its advisory. "An attacker can trigger the condition by simply sending a long command."

Java

Looking specifically at the Java-related flaws in the October CPU, there are 12 Java SE flaws, 11 of which are remotely exploitable without user authentication. The WebLogic Java application server is being patched for 12 issues, with eight being remotely exploitable without user authentication.

Some of the Java issues are related to deserialization risks, which have been an ongoing concern for several years.

"I do not believe [Java deserialization] is a design flaw as such as issues with additional development steps required to harden and hide Java objects," Joseph Kucic, chief security officer at Cavirin, told eWEEK. "Obviously, this is avoided by moving to use a safe and standard data interchange format such as JSON."
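One concrete form of the extra hardening step Kucic alludes to, as an added example that is not from the article, from Oracle's patches or from any vendor quoted here: an allow-list deserialization filter (java.io.ObjectInputFilter, available from Java 9) applied to an ObjectInputStream, so that only one expected application class plus JDK core types are accepted and anything else on the wire is rejected before it is instantiated. The Invoice and Unexpected classes are constructed for the example.

```java
import java.io.*;

// Added example (not from the article): hardening ObjectInputStream with an
// allow-list deserialization filter (java.io.ObjectInputFilter, Java 9+).
public class DeserializationFilterDemo {

    // The only application type we expect to receive (constructed for the example).
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long cents;
        Invoice(String customer, long cents) { this.customer = customer; this.cents = cents; }
    }

    // Any other serializable type stands in for an unexpected class arriving on the wire.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Allow-list: our Invoice plus classes in the java.base module; "!*" rejects every
    // other class, and the limits bound object-graph depth and stream size.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxbytes=65536;" + Invoice.class.getName() + ";java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice ok = (Invoice) readFiltered(serialize(new Invoice("acme", 1250)));
        System.out.println("accepted: " + ok.customer + " " + ok.cents);
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            // The filter reports REJECTED and the stream is abandoned without constructing the object.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property, which is the usual way to cover third-party code that opens its own ObjectInputStreams.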

Apostolos Giannakidis, security architect at Waratek, told eWEEK that Oracle did a lot of cleanup work in the October CPU, fixing flaws that went back to 2014. The Java patches issued by Oracle largely affect Java 8 and earlier releases rather than the newer versions. Java 11 was released on Sept. 25 as the second major update for Java in 2018.

"Oracle, like all software vendors, relies largely on users and third-party researchers to report flaws and potential fixes," Giannakidis said. "Utilization is relatively low for Java 9 and 10, which translates into fewer users available to report flaws."

Database

Oracle's namesake database is only getting three security fixes as part of the October CPU, two of them being remotely exploitable without the need for any user credentials.

The MySQL database is getting patched for 38 security issues, with only three being remotely exploitable without authentication. Of the three, the CVE-2018-11776 issue in MySQL Enterprise Monitor is the most critical, with a CVSS score of 9.8. The flaw is derived from the Apache Struts component used in the Monitor tool.

"The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor," the advisory warns. "Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor."

Oracle Fusion

One of the single largest sets of vulnerabilities in the October CPU is in the Oracle Fusion Middleware portfolio, which is getting 65 new security fixes. Oracle's E-Business Suite is being patched for 16 issues.

Overall, it's not clear if security got better or worse for Oracle over the course of 2018, according to Matias Mevied, Oracle security specialist at Onapsis.

"Analyzing the number of vulnerabilities from 2015 to 2018, there are some indicators that Oracle is fixing almost double the [number of] vulnerabilities in 2018 than 2015, with 613 vulnerabilities fixed in 2015 and 1,128 in 2018," Mevied told eWEEK. "This can happen for different reasons: Oracle is improving its security, patching more vulnerabilities; Oracle incorporates more products; there are more researchers reporting vulnerabilities; and also it could be that the Oracle applications are more vulnerable, but we don’t think this is the most relevant or probable issue."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.